Generate a cynamically unique Azure Kkey Vault name at creation. Store keyvault name output for other process and destruction

[fpittelo]

To easily create and destroy Azure Key Vault's, a dynamic unique name must be generated at creation.

Suggestion: ""env"-alpinebot-kv-"unique number" --> Ex: "dev-alpinebot-kv-1234"

The dynamically created name must be stored so others Terraform process can get this information, especially pay attention to all the .github/workflows/* destroy.yaml's to make sure the processess can destroy the Key Vautl.

Important point: Keyvaut, keys and secrets should have no protection, no soft delete. Goal: All should be purged at destruction

[fpittelo]

Here is the proposed plan to address this issue:

Issue #101: Dynamic Key Vault Naming and Destruction

Goal

Implement dynamic, unique naming for the Azure Key Vault to facilitate easy creation and destruction, ensuring that the Key Vault is properly purged upon destruction.

User Review Required

Important

Breaking Change: The Key Vault name will change. This will trigger the destruction of the existing Key Vault and the creation of a new one. All existing secrets in the old Key Vault will be lost unless manually backed up. Since this is a dev/qa/main environment, please ensure this is acceptable. The issue implies this is desired ("To easily create and destroy...").

Proposed Changes

Infrastructure (infra/)

[MODIFY] infra/main.tf

• Add resource "random_integer" "kv_suffix" to generate a unique 4-digit number.
• Update module "key_vault" to use a dynamic name: "${local.environment_vars.az_kv_name}-${random_integer.kv_suffix.result}".

[MODIFY] infra/outputs.tf

• Add output "key_vault_name" to expose the generated Key Vault name.

Modules (modules/)

[MODIFY] modules/key_vault/outputs.tf

• Ensure key_vault_name is outputted (if not already).

Workflows (.github/workflows/)

[MODIFY] .github/workflows/deploy-infra.yaml

• Update the "Set Key Vault Firewall to Allow" step to dynamically find the Key Vault name using Azure CLI, as the name is no longer static.
  • Command: az keyvault list --resource-group "$RG_NAME" --query "[?starts_with(name, '${{ env.ENVIRONMENT }}-alpinebot-vault-')].name | [0]" -o tsv

Verification Plan

Automated Tests

• The GitHub Actions workflows deploy-infra.yaml and destroy.yaml act as the automated tests.

Manual Verification

1. Deploy to Dev: Trigger deploy-infra for the dev environment.
2. Verify Creation: Check Azure Portal or CLI to confirm Key Vault is created with the format dev-alpinebot-vault-XXXX.
3. Verify Workflow: Ensure the "Set Key Vault Firewall to Allow" step in deploy-infra succeeds (it should either find the KV and update it, or gracefully skip if it's a fresh create).
4. Verify Destruction: Trigger destroy.yaml for dev.
5. Verify Purge: Confirm the Key Vault is deleted and purged (not in soft-delete state). infra/providers.tf already has purge_soft_delete_on_destroy = true, so this should happen automatically.

[fpittelo]

Solved